Network security relates to policies adopted by a network administrator or other party charged with authority for operating a computer network. The most common policies involve restricting access to network resources to only those individuals who have authorization to access them. A process known as authentication is commonly employed to restrict network access. In an authentication process, a user is prompted to provide secure identifying information, most commonly consisting of the combination of a user name and password. If the user-entered identifying information matches pre-stored identifying information associated with that user, the network enables access to a set of network resources. In a Web-based client-server system, a server or similar computer may provide a Web-based interface known as a captive portal. In a captive portal system, the captive portal Web page prompts the user to enter a user name and password on the client device. The captive portal system prevents the user from accessing other Web pages unless the user name and password entered by the user are determined to match a pre-stored user name and password. Captive portal systems are especially common in networks providing wireless local area network (WLAN) access.
Network security policies other than a straightforward password-based grant or denial of access are known. For example, a policy may grant certain users access to a certain set of network resources while preventing access by other users who are not authorized to access that set of resources. The terms “privileged user” and “standard user” are commonly used to distinguish between two classes or groups of users. For example, a privileged user may be a network administrator or other user authorized to access network resources that standard users are not authorized to access. Policy enforcement based on such a distinction is sometimes referred to as role-based policy enforcement.
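The following is an added illustration, not code from the patent text, of the two mechanisms just described: a captive-portal style check that compares user-entered credentials against pre-stored ones, followed by a role-based policy that grants a "privileged user" a larger set of network resources than a "standard user". It departs from the literal description in one respect a practitioner would expect: the pre-stored identifying information is a salted PBKDF2 hash compared in constant time, rather than a plain password. All user names, passwords, roles and resource names are constructed sample values, and the function names are this example's own.

```python
"""Captive-portal authentication with role-based policy enforcement.

Added example (not part of the patent). The portal keeps salted password
hashes, compares candidates in constant time, and maps the authenticated
user's role to the resources the gateway will permit. Every user, password,
role and resource below is a constructed sample value.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # work factor for the stored hashes
DUMMY_SALT = b"\x00" * 16     # used so unknown users cost the same time


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored form of a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def make_user_record(password: str, role: str) -> dict:
    """Build a pre-stored record: random salt, derived hash, assigned role."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed sample user store (user name -> pre-stored record).
USERS = {
    "alice": make_user_record("correct horse battery", "privileged"),
    "bob": make_user_record("hunter2", "standard"),
}

# Role-based policy: resources each role may reach once authenticated.
# A standard user only gets Internet access; a privileged user (e.g. the
# network administrator) can also reach management interfaces.
POLICY = {
    "standard": frozenset({"internet"}),
    "privileged": frozenset({"internet", "admin-console", "switch-management"}),
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's role if the credentials match, else None.

    Unknown user names are still run through the hash so that response
    time does not reveal whether an account exists.
    """
    record = USERS.get(username)
    if record is None:
        _hash_password(password, DUMMY_SALT)
        return None
    candidate = _hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        return record["role"]
    return None


def authorized_resources(username: str, password: str) -> frozenset:
    """Resources the captive portal will open for this login.

    A failed login yields the empty set: the client stays confined to the
    portal page, which is the captive-portal behaviour described above.
    """
    role = authenticate(username, password)
    if role is None:
        return frozenset()
    return POLICY.get(role, frozenset())


def portal_decision(username: str, password: str, requested: str) -> bool:
    """Allow or deny a request for one resource after login."""
    return requested in authorized_resources(username, password)


if __name__ == "__main__":
    for user, pw, resource in [("bob", "hunter2", "internet"),
                               ("bob", "hunter2", "admin-console"),
                               ("alice", "correct horse battery", "admin-console"),
                               ("alice", "wrong password", "internet")]:
        verdict = "allow" if portal_decision(user, pw, resource) else "deny"
        print(f"{user:6s} -> {resource:18s} {verdict}")
```

The policy table is deliberately separate from the credential store: the authentication step answers only "who is this", and the role-to-resource mapping answers "what may they reach", which is the role-based policy enforcement the text distinguishes from a plain grant-or-deny decision.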
As illustrated in FIG. 1, network 10 can include, for example, a gateway or secure controller 12 interposed between a network switch 14 and a router 16. Secure controller 12 controls authentication and otherwise enforces security policies to control access by client devices 18, 20, 22, etc., to network resources. In the exemplary network 10, secure controller 12 controls client device access to the Internet via router 16.
Network access control in a network topology such as that of network 10 is known as “in-band” because all communications (i.e., data packets) between client devices 18, 20, 22, etc., and the Internet or other protected resource pass through secure controller 12. In other words, secure controller 12 is interposed within the data communications band. In-band network access control suffers from a number of disadvantages. For example, including a specialized secure controller 12, i.e., a complex electronic device that is not a standard network device such as a switch, router, gateway, etc., is uneconomical, especially if redundancy is employed to mitigate the effect of potential failure of secure controller 12.
As illustrated in FIG. 2, in another exemplary network 24, a controller 26 provides out-of-band network access control, as controller 26 is not interposed in the communications band between client devices 28, 30, 32, etc., and the router 34. Controller 26 is essentially a client device that communicates with logic 38 (e.g., a software-based or firmware-based structure) in the switch 40 or other network devices via an application program interface (API). A disadvantage of such a system is that providing network infrastructure (i.e., devices), such as switch 40, with an API through which they can communicate with external devices renders such devices susceptible to malicious third-party access, colloquially referred to as hacking. Also, controller 26 may require complex configuration by a network administrator. Furthermore, while controller 26 is capable of communicating with logic 38 to effect network security, controller 26 may be incapable of communicating with or otherwise controlling a different switch (not shown) or other network device. A switch or other network device produced by one manufacturer may have significantly different logic from such a device produced by another manufacturer, thus requiring a different API.
It would be desirable to provide out-of-band network access control that is readily configurable and that is infrastructure-agnostic, i.e., operates in a similar manner irrespective of the network infrastructure.